ADA 045 057

THE VULNERABILITY OF COMPUTER AUDITING

Bennet P. Lientz, Ph.D., and Ira R. Weiss, Ph.D.


Some of the problems associated with computer auditing are related to AICPA Statement on Auditing Standards No. 3. The authors propose means for dealing with the problems until improved internal computer security methods are implemented.


Bennet P. Lientz, Ph.D., Associate Professor of Computers and Information Systems, Graduate School of Management, University of California, L.A., is author of many papers and a text book on information systems. Ira R. Weiss, Ph.D. (pictured above), Assistant Professor of Accounting and Information Systems, Graduate School of Business, NYU, is currently developing an in-depth computer auditing course for NYU.


Introduction

Most auditing procedures for computer-based systems relate only to those aspects that can be readily reviewed and understood. The problem, however, is much more general and includes the total environment of the system, including operating systems and telecommunications. This environment has been shown to be vulnerable in such a way that it may affect the financial condition and life cycle of the firm. Examples of this vulnerability are cited in a report of Stanford Research Institute.¹ Even with the most sophisticated organizational and application controls, the remaining parts of the systems environment are substantial and the problems associated with these elements can be catastrophic to the organization.

From reviewing the AICPA Statement on Auditing Standards No. 3 (SAS No. 3) and some of the literature on computer auditing, it becomes evident that more is needed to insure the integrity of the systems being audited. Further auditing procedures must be instituted to insure compliance with the intent of SAS No. 3.

What Is SAS No. 3?

SAS No. 3 indicates that internal controls in the data processing installation should be evaluated when computers are used in processing a significant number of accounting applications. SAS No. 3 further points out that the auditing examination should be performed by persons with adequate technical training as auditors. In evaluating a computer-based system, this implies that auditors must not only be competent in understanding audit objectives, but also in understanding computer concepts to be able to identify the strengths and weaknesses of the system.

* This work was supported by the Office of Naval Research under contract N00014-75-C-0265, project NR 049-345.

¹ Donn B. Parker, [title illegible in the scan], Conference on Computer Abuse, Stanford Research Institute, 1974.

SAS No. 3 points to several types of controls that should be evaluated, including the following:

1. Organizational plan and operation of activities;

2. Procedures relating to documentation, review, testing and approval of systems and systems changes;

3. Controls for hardware;

4. Access controls to equipment and files;

5. Application controls relating to input, processing and output;

6. Segregation of functions relating to both manual and computer operations (e.g., the same person should not be allowed to write a program to process vendor invoices and be able to submit transactions to that program for operational processing).

In concluding, the statement considers some procedures to review these controls.

Computer Auditing - State of the Art

Today, over 100,000 computers are in use worldwide with over 80 percent of these storing and processing financial records.² In terms of SAS No. 3, a good portion of these installations are processing a significant amount of accounting information and should be evaluated, as part of the organization, for strengths and weaknesses in the control functions. Yet, many companies are doing today's computer audit work with yesterday's auditing expertise in terms of experience and education.³ The EDP environment has changed substantially in the last decade. Unit record equipment techniques have evolved into sophisticated operating systems, teleprocessing, data base systems, multiprogramming and multiprocessing environments.⁴ We would expect the firm which possesses these processing capabilities to have more technical expertise in an operational sense than an independent auditor, when the auditor has not been trained as a technical computer information systems specialist.

² [author and title illegible in the scan], February 1975.

³ [author illegible in the scan], "[title partly illegible] Computer Audit [...]," Journal of Accountancy, April 1974.

cpa / MARCH 1977

What is the impact of this progress on the auditor? The traditional internal control evaluation becomes somewhat more complex. Areas of concern are segregation of duties, which might be blurred by highly integrative systems, and the partial or total disappearance of the audit trail.⁵ These developments give rise to a multiplicity of interactions within advanced systems, on a real-time basis, widening the potential error rate and potential fraudulent activity at any given time. After-the-fact tests of compliance and control may be insufficient to meet present day audit requirements.⁶ The number of transactions processed daily, projected to a monthly basis, could be so voluminous that a center undergoing undetected penetration or errors in processing could be so severely affected that the going concern concept for that company could become invalid prior to an in-depth audit. Therefore, the need for continuous system integrity reviews appears imperative.

Again, what are the implications of these problems to the auditor? The auditor in the attest function states that the financial statements fairly represent the financial position of the company. Given an unqualified statement, the auditor by implication states that the firm's liquidity is adequate to support the going concern concept. Yet there have been many cases of documented computer abuse totaling in the millions of dollars. After the fact auditing might in fact locate abuses, but there is still the issue of responsibility for loss if the firm cannot recover from these abuses.

⁴ Editorial, "Technical Proficiency for Auditing Computer Processed Accounting [remainder of title illegible]," [publication illegible], 197[?].

⁵ Carl P[surname illegible], "[...] Facts About [...]," [remainder illegible in the scan].

⁶ George [surname illegible], "Auditing Advanced Systems," Journal of Accountancy, June 1974.

In Equity Funding, management, auditors and computer vendors were all named as parties to a "computer" fraud.

What then is the current state of the art in computer auditing? Computer auditing may be considered as having two component parts. First, the computer is utilized in many audits as a tool. Extension testing, depreciation calculations, present values, footing, confirmations, aging, statistical sampling, etc. are some of the functions that can be accomplished through the computer on a timely and cost effective basis. This aspect of computer auditing is being utilized with great frequency.⁷ The auditor is able to identify direct benefits from this audit tool and the audit can then be a scientifically sampled verification of financial statements rather than a heavy clerical burden.

The second aspect of computer auditing can be referred to as data center reviews, which encompasses the main thrust of SAS No. 3. This entails a review and analysis of operations, security, applications and general internal control functional tests. Here the auditor is faced with some problems. Levine⁸ depicts 11 basic concerns of the auditor in this area, highlighted by keeping current in EDP and its audit impact. He also addresses some aspects of what auditors need to enable them to address the audit with sufficient competency, including utilization of monitoring systems, methods of evaluating systems integrity and standard software controls. Weber⁹ goes further by insisting that operating systems be audited periodically because the integrity of the entire system is controlled by the operating system. Yet, since the technical aspects of operating systems are so complex, the auditor views this aspect as a low risk area. This may be a critical error of the auditor and will be discussed further in the next section.

⁷ [first name illegible] C. Johnson, "[title partly illegible] the Computer as [...]," [remainder illegible in the scan].

⁸ Levine, "[title partly illegible] for Advanced Systems," [publication partly illegible], [date illegible].

⁹ Ron Weber, "An Audit [word illegible] of Operating Systems," Journal of Accountancy, September 197[?].

To summarize the state of the art, the auditor utilizes the computer as a tool in a relatively efficient manner. But in a data center review the extent to which controls are evaluated is often limited to the visible physical security and applications controls. In doing this the auditor relies on technical systems such as telecommunication networks and operating systems that in fact might be used to override and change the very applications that have been audited, judged appropriate and outputs relied on without extensive substantive testing.

Problems Remaining

As pointed out in the previous two sections, there are areas of the systems environment that are not explicitly addressed by SAS No. 3. For example, suppose a system is operational within a computer mode and a penetrator is seeking to enter the system and gain access to data and/or programs by using a terminal. If the computer system is a general time-sharing system, the data and programs are available to authorized users during certain times. The data and programs could relate to accounts payable, inventory shipments, personnel data or product development.

The penetrator first attempts to enter the system using the telecommunications network. Even if the system is password protected, and the password cannot be broken, the penetrator can resort to masquerading (penetrator represents an authorized user), eavesdropping (listening in at random), wiretapping (listening at determined times and recording data over the lines), piggybacking or between lines (penetrator uses system when the authorized user is signed on but not active, or is given disguised messages). Alternatively, the penetrator may be able to deduce the authorized user's password from the characteristics of room location, initials, [several items illegible in the scan], address or other available data.

After the penetrator has successfully entered the system, an attempt can be made to override the operating system and move into the privileged mode (where the penetrator has the ability to affect the system itself). At this point the penetrator disables or diverts the computer accounting system such that the activity (i.e., audit trail) of the system is blurred. Now the penetrator can initiate unauthorized transactions, alter program and systems logic, destroy information, obtain or view highly sensitive information or can accomplish all that is possible by his or her own creativity. The penetrator, now having completed the above task, signs off the computer system undetected.
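The blurred audit trail in this scenario becomes detectable when an accounting record exists that the operating system does not control, which is the design the article recommends later (accounting programs driven by the input/output controllers). As an added example, not part of the original article, the following Python reconciles a constructed I/O-controller log of terminal sessions against the operating system's own job accounting and flags sessions the OS record never saw or stopped recording early. The log formats, field names, session identifiers and timestamps are all constructed for this illustration.

```python
"""Added example (not from the article): reconcile an independent accounting
record with the operating system's job accounting, so that a session whose
OS record is missing or cut short stands out."""
from datetime import datetime

# Constructed: per-session records kept by the I/O controller, outside OS control.
# Format: timestamp|session|user|event
CONTROLLER_LOG = """\
1977-03-01T09:00:00|S1|jdoe|LOGON
1977-03-01T09:40:00|S1|jdoe|LOGOFF
1977-03-01T10:05:00|S2|opr1|LOGON
1977-03-01T10:30:00|S2|opr1|LOGOFF
1977-03-01T11:00:00|S3|mgr2|LOGON
1977-03-01T11:55:00|S3|mgr2|LOGOFF
"""

# Constructed: the OS job accounting for the same period. S2's record stops
# early (accounting was switched off part way through) and S3 never appears.
OS_ACCOUNTING = """\
1977-03-01T09:00:01|S1|jdoe|START
1977-03-01T09:40:02|S1|jdoe|END
1977-03-01T10:05:01|S2|opr1|START
1977-03-01T10:12:00|S2|opr1|END
"""

def parse_sessions(text: str, start_event: str, end_event: str) -> dict:
    """Build {session: (user, start, end)} from one log; a session whose end
    record is missing keeps end=None."""
    sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, user, event = line.split("|")
        when = datetime.fromisoformat(ts)
        owner, start, end = sessions.get(sid, (user, None, None))
        if event == start_event:
            start = when
        elif event == end_event:
            end = when
        sessions[sid] = (owner, start, end)
    return sessions

def reconcile(controller_text: str, os_text: str, tolerance_s: int = 60) -> list:
    """Return (session, finding) pairs where the OS accounting does not cover
    what the independent controller record shows. Clock skew between the two
    recorders of up to tolerance_s seconds is ignored."""
    controller = parse_sessions(controller_text, "LOGON", "LOGOFF")
    os_acct = parse_sessions(os_text, "START", "END")
    findings = []
    for sid, (user, _c_start, c_end) in sorted(controller.items()):
        if sid not in os_acct:
            findings.append((sid, f"no OS accounting record for {user}"))
            continue
        _, _o_start, o_end = os_acct[sid]
        if c_end is not None and (o_end is None or (c_end - o_end).total_seconds() > tolerance_s):
            findings.append((sid, "OS accounting ends before the session did"))
    return findings

if __name__ == "__main__":
    for sid, finding in reconcile(CONTROLLER_LOG, OS_ACCOUNTING):
        print(f"{sid}: {finding}")
```

The check is only as good as the independence of the second record: if the controller log can be altered from privileged mode as easily as the OS accounting, both can be blurred together, which is why the article wants it kept outside operating system control.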

There are several implications in this simple example. First, unauthorized transactions can seriously impair the operational integrity of the system. The financial statements, depending on the system, may not reflect the true state of affairs of the company. A second implication is the recognition that competition within an industry combined with precedents of lenient attitudes toward white collar crime and the available technology makes such approaches more attractive and limited in risk. A third implication is that if only the content of SAS No. 3 is followed, the internal controls could be judged sufficient, giving the auditor comfort in relying on the outputs generated, when in fact they were not, due to the computer and communications environment of the system (i.e., possibility of penetration).

To summarize, these three implications may impact the firm which relies heavily on computer systems by indicating the threat, the effect on operations, financial statements and the on-going concern concept, and the need for additional and more sophisticated controls.

Security Measures

One study¹⁰ has indicated that there are no secure operating systems commercially available and that there is no way today of certifying secure computer systems. It is essential then that interim measures be employed until secure operating systems become a reality.¹¹

Exhibit 1 represents a table of penetration methods, recovery measures if penetrated, preventive security measures and cost elements of implementing the security measures. This Exhibit can be utilized to address the example presented earlier. To counteract penetration of communication lines: data can be encrypted (coded), system-generated random dialogues utilized (system queries user at random with regard to personal characteristics), alternate routing of messages and multiple passwords per transaction can be required. The techniques in the computer center itself include encrypted files and programs, automatic cancellations upon unauthorized attempted access, accounting programs that are not controlled by operating systems but by input/output controllers, and disk controllers that are hardwired for security techniques and access authorization.

The Exhibit is not all inclusive, but represents some techniques that can be employed when weaknesses are discovered in the operations of a data center. The auditor should be aware that there are interim techniques available to partially control access and penetration when these are considered high-risk areas.

In general, there should always be passwords on files when possible, read/write restrictions if appropriate, accounting systems, programs in load module form and counteractive systems measures when mistakes are made either in the log-on procedure or access procedure. Starting with the above measures, utilizing some methods given in the table and employing intelligent and alert personnel will insure more confidence and less risk within the computer system.
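Several of the interim measures just listed can be shown working together. The following Python is an added example, not from the article: a terminal session guard with a system-generated random dialogue at log-on, automatic cancellation of the user after repeated failed attempts, automatic shut-off of a session after n seconds of nonuse (the piggybacking countermeasure in Exhibit 1), and a second password demanded with each transaction, with every decision written to the guard's own accounting record. The user record, the dialogue questions, the thresholds (3 failures, 300 seconds), the salted PBKDF2 password hashing and the scenario in run_demo are all assumptions made for the example.

```python
"""Added example (not from the article): log-on and session controls from
the interim measures list, with all data and thresholds constructed."""
import hashlib
import hmac
import os
import random

def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash; the scheme is an assumption for this example."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

class UserRecord:
    """One authorized user: log-on password, transaction password and a bank
    of personal-characteristic questions for the random dialogue."""
    def __init__(self, user, password, transaction_password, dialogue):
        self.user = user
        self.salt = os.urandom(16)
        self.pw_hash = hash_secret(password, self.salt)
        self.txn_hash = hash_secret(transaction_password, self.salt)
        self.dialogue = dialogue        # {question: expected answer}, constructed
        self.failures = 0
        self.disabled = False

class SessionGuard:
    MAX_FAILURES = 3     # automatic cancellation threshold (assumed value)
    IDLE_LIMIT_S = 300   # automatic shut-off after n seconds of nonuse (assumed value)

    def __init__(self, users, clock, rng=None):
        self.users = {u.user: u for u in users}
        self.clock = clock               # callable returning seconds; injectable for tests
        self.rng = rng or random.Random()
        self.events = []                 # the guard's own accounting record
        self.active = {}                 # user -> time of last activity

    def log(self, msg):
        self.events.append(f"t={self.clock():.0f} {msg}")

    def challenge(self, user):
        """System-generated random dialogue: pick one of the user's questions."""
        return self.rng.choice(sorted(self.users[user].dialogue))

    def logon(self, user, password, question, answer):
        rec = self.users.get(user)
        if rec is None or rec.disabled:
            self.log(f"LOGON REJECTED {user} (unknown or disabled)")
            return False
        ok = (hmac.compare_digest(hash_secret(password, rec.salt), rec.pw_hash)
              and rec.dialogue.get(question) == answer)
        if not ok:
            rec.failures += 1
            self.log(f"LOGON FAILED {user} attempt {rec.failures}")
            if rec.failures >= self.MAX_FAILURES:
                rec.disabled = True      # automatic cancellation: no further attempts accepted
                self.log(f"USER DISABLED {user} after {rec.failures} failures")
            return False
        rec.failures = 0
        self.active[user] = self.clock()
        self.log(f"LOGON OK {user}")
        return True

    def transaction(self, user, transaction_password, description):
        """Each transaction carries its own password. An idle session is shut
        off at the first request after the limit, i.e. the moment someone
        tries to use the unattended terminal."""
        rec = self.users.get(user)
        if rec is None or user not in self.active:
            self.log(f"TXN REJECTED {user} not signed on")
            return False
        if self.clock() - self.active[user] > self.IDLE_LIMIT_S:
            del self.active[user]
            self.log(f"SESSION SHUT OFF {user} after nonuse")
            return False
        if not hmac.compare_digest(hash_secret(transaction_password, rec.salt), rec.txn_hash):
            del self.active[user]
            self.log(f"TXN REJECTED {user} bad transaction password; session cancelled")
            return False
        self.active[user] = self.clock()
        self.log(f"TXN OK {user} {description}")
        return True

def run_demo():
    """Constructed scenario: a good log-on and transaction, an attempt on the
    idle terminal 301 s later, then three bad log-on attempts. Returns the
    guard and the list of accept/reject decisions."""
    clock = {"t": 0.0}
    users = [UserRecord("jdoe", "pw-1977", "txn-77", {"room": "B-12", "badge": "4471"})]
    guard = SessionGuard(users, lambda: clock["t"], random.Random(7))
    q = guard.challenge("jdoe")
    results = [guard.logon("jdoe", "pw-1977", q, users[0].dialogue[q])]
    clock["t"] = 30
    results.append(guard.transaction("jdoe", "txn-77", "post AP batch 1"))
    clock["t"] = 30 + SessionGuard.IDLE_LIMIT_S + 1
    results.append(guard.transaction("jdoe", "txn-77", "post AP batch 2"))
    for _ in range(SessionGuard.MAX_FAILURES):
        results.append(guard.logon("jdoe", "guess", q, "?"))
    return guard, results

if __name__ == "__main__":
    guard, results = run_demo()
    print(results)
    print("\n".join(guard.events))
```

The guard's event list is the kind of record the article wants kept independently of the operating system: it shows the shut-off and the disabling even if the OS accounting for the same period were later altered.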

Developing Cost-Effective Approaches to Security

Implementing all possible countermeasures is not warranted or cost effective. Overkill to counteract improbable penetration can severely affect the cost and performance of systems. Organizations and independent auditors can employ simulation techniques and risk analysis¹² to identify the highly sensitive and exposed areas where the major control efforts should be placed.

¹⁰ "Data Security and Data Processing," IBM Corporation, G320-1370, 1974.

¹¹ [author illegible in the scan], "Protecting Valuable Data," [publication illegible], February 197[?].

There are basically three areas to be observed when reviewing the internal controls of data centers: operations, physical security and software security. For operations, the same guidelines should be imposed as when reviewing manual systems. Typical functional areas are input, operations, programming and maintenance, library and output. When the organizational framework is set up in this manner, the review can be structured to look at segregation of duties and control functions. The librarian controls programs and data while the input section controls new transactions. The programming and maintenance functions are separate. Therefore, there is no possibility of changing programs to fit new data. Controls that can be implemented are logging procedures of programs utilized, authorization for programming changes, appropriate dissemination of output and explicit operational directions for operators. A wealth of literature is available describing adequate physical security.¹³
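Two of the controls named here can be checked mechanically: that production programs still match what the librarian authorized (the "conform to the authorized version" question in Exhibit 2) and that no one who changed a program also submits transactions to it (SAS No. 3, item 6). The following Python is an added example, not the article's own material: it fingerprints production programs against an authorized catalog and scans constructed change and transaction records for a user who did both. The program names, program contents, user names, SHA-256 fingerprinting and every record are constructed for the illustration.

```python
"""Added example (not from the article): program-library conformity and
segregation-of-duties checks over constructed records."""
import hashlib
from collections import defaultdict

def fingerprint(contents: bytes) -> str:
    """Hash of a program's contents; SHA-256 is the assumed fingerprint."""
    return hashlib.sha256(contents).hexdigest()

# Constructed: the sources the librarian approved, and the catalog of their hashes.
AUTHORIZED_SOURCES = {
    "AP100": b"PROGRAM AP100  ! vendor invoice processing  (approved build 3)",
    "INV20": b"PROGRAM INV20  ! inventory shipments       (approved build 1)",
}
AUTHORIZED_LIBRARY = {name: fingerprint(src) for name, src in AUTHORIZED_SOURCES.items()}

# Constructed: what is in the production library now. AP100 carries an
# unapproved change; INV20 is unchanged.
PRODUCTION_LIBRARY = {
    "AP100": b"PROGRAM AP100  ! vendor invoice processing  (approved build 3)\n"
             b"! local patch: skip approval check",
    "INV20": b"PROGRAM INV20  ! inventory shipments       (approved build 1)",
}

def nonconforming_programs(production: dict, authorized: dict) -> list:
    """Return (program, reason) for every production program whose contents
    differ from the authorized version or that was never authorized at all."""
    findings = []
    for name, contents in sorted(production.items()):
        if name not in authorized:
            findings.append((name, "not in authorized library"))
        elif fingerprint(contents) != authorized[name]:
            findings.append((name, "differs from authorized version"))
    return findings

# Constructed activity records: who changed which program, and who submitted
# transactions to which program.
CHANGE_LOG = [
    {"who": "jdoe", "program": "AP100", "action": "modify"},
    {"who": "asmith", "program": "INV20", "action": "modify"},
]
TRANSACTION_LOG = [
    {"who": "jdoe", "program": "AP100", "txn": "INV-0001"},
    {"who": "bwong", "program": "AP100", "txn": "INV-0002"},
    {"who": "asmith", "program": "AP100", "txn": "INV-0003"},
]

def segregation_violations(change_log: list, txn_log: list) -> list:
    """Return (user, program, txn) where a user who modified a program also
    submitted a transaction to that same program."""
    modifiers = defaultdict(set)
    for rec in change_log:
        modifiers[rec["program"]].add(rec["who"])
    return [
        (t["who"], t["program"], t["txn"])
        for t in txn_log
        if t["who"] in modifiers[t["program"]]
    ]

if __name__ == "__main__":
    for name, reason in nonconforming_programs(PRODUCTION_LIBRARY, AUTHORIZED_LIBRARY):
        print(f"LIBRARY: {name}: {reason}")
    for who, prog, txn in segregation_violations(CHANGE_LOG, TRANSACTION_LOG):
        print(f"SEGREGATION: {who} modified {prog} and submitted {txn} to it")
```

Note that asmith submitting to AP100 is not a finding: the rule is about the same program, so the check needs the change log to identify programs precisely, which is what the librarian's catalog provides.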

The approach to reviewing software security is not defined as precisely as the other areas. One reason for this is that, given the most sophisticated software security available, penetration may still be possible. The approach must be a probability technique assessing high risk areas. Once these areas have been identified one can pick the measure available that would most satisfy, in cost and performance, that particular need.

The most effective approach might be the one most common to auditors today: the questionnaire. Through this method we try to quantify both the impact and probability of an occurrence. This enables the following questions to be addressed: Can the occurrence be tolerated? Can the dollar impact be lowered, or can the probability be lessened? This type of analysis measures the value of an asset to the firm and the amount of resources to allocate to the asset for protection. For example, a system might contain two resident disk packs. On one pack data pertaining to census information is stored. On the other, product development information is stored. Each disk has an equal probability of being penetrated. Yet the outcomes of successful penetration are quite different depending on which pack is chosen. We can tolerate penetration of the census data. It is public information and at worst duplication would be the final outcome for the firm. It is obvious that the answer dramatically changes under the product development assumption. Here penetration cannot be tolerated, so that there is concern about the dollar impact and about lessening the probability of penetration. We have now put a new type of value on an asset. We might call it an exposure value, or cost of loss of exclusive use. Though product development information may be totally useless without proper demographics, the information, considering exposure value, is quite different.

¹² [illegible in the scan].

¹³ [illegible in the scan].

EXHIBIT 1
Event List

Attempts through communication lines (see definitions under "Problems Remaining")

• Masquerading
  Recovery measure: retain back-up files
  Preventive measures: levels of passwords; transformation functions; random dialogues; encrypted files
  Elements of cost: software costs; encryption/decryption devices (coding and decoding); effect on system performance (increased systems overhead)

• Wiretapping/Eavesdropping
  Recovery measure: retain back-up files
  Preventive measures: cryptography; alternate routing of messages
  Elements of cost: software costs; encryption/decryption devices; effect on system performance

• Piggybacking or Between Lines
  Recovery measure: retain back-up files
  Preventive measures: cryptography; random dialogues; levels of passwords; continuous passwords with each transaction; automatic shut-offs after n seconds of nonuse
  Elements of cost: software costs; encryption/decryption devices; effect on system performance

Attempts through computer systems

• Unauthorized Attempt to Enter System
  Recovery measure: retain back-up files
  Preventive measures: all identification/authorization measures: (a) passwords, (b) dialogues, (c) transformation functions, (d) magnetically encoded cards; if detected, immediate disabling actions
  Elements of cost: software costs; effect on system performance

• Browsing
  Recovery measure: retain back-up files / none
  Preventive measures: functional passwords; transformations; read/write restrictions; encrypted files; intelligent disk controllers
  Elements of cost: software costs; hardware costs; encryption/decryption devices; effect on system performance

• Override Operating System
  Recovery measure: retain back-up files / none
  Preventive measures: automatic cancellations upon unauthorized action; accounting system independent of operating system; system monitors; encrypted files
  Elements of cost: software costs; personnel costs; encryption/decryption devices; effect on system performance
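As an added example, not part of the article, the following Python carries the two-disk-pack analysis through in numbers: each asset gets a probability of penetration and an exposure value (the cost of loss of exclusive use), their product is the expected loss, and a candidate countermeasure is worth adopting only when the expected loss it removes exceeds its cost. The dollar figures, probabilities, control costs and the factors by which each control lowers probability or exposure are all constructed; the article gives none.

```python
"""Added example (not from the article): expected-loss risk analysis over
two assets with equal penetration probability but different exposure value.
All figures are constructed."""
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    probability: float      # chance of penetration in the planning period (constructed)
    exposure_value: float   # dollar cost of loss of exclusive use (constructed)
    tolerable: bool         # can the occurrence be tolerated at all?

@dataclass
class Control:
    name: str
    cost: float
    probability_factor: float = 1.0   # multiplies probability; 0.4 means 60% fewer penetrations
    exposure_factor: float = 1.0      # multiplies exposure value; low if the taken data is useless

def expected_loss(asset: Asset) -> float:
    """Exposure value weighted by how likely the loss is."""
    return asset.probability * asset.exposure_value

def residual_loss(asset: Asset, control: Control) -> float:
    """Expected loss that remains once one control is in place."""
    return (asset.probability * control.probability_factor) * (asset.exposure_value * control.exposure_factor)

def evaluate(asset: Asset, controls: list) -> dict:
    """Answer the text's questions for one asset: can the occurrence be
    tolerated, and if not, which controls lower the dollar impact or the
    probability by more than they cost? Controls are scored one at a time."""
    base = expected_loss(asset)
    result = {"asset": asset.name, "expected_loss": base, "tolerable": asset.tolerable, "chosen": []}
    if asset.tolerable:
        return result            # no resources allocated: duplication is the worst outcome
    for c in controls:
        net = (base - residual_loss(asset, c)) - c.cost
        if net > 0:
            result["chosen"].append((c.name, round(net, 2)))
    result["chosen"].sort(key=lambda pair: -pair[1])
    return result

def prioritize(assets: list, controls: list) -> list:
    """Rank assets by expected loss so the major control effort goes where exposure is highest."""
    return sorted((evaluate(a, controls) for a in assets), key=lambda r: -r["expected_loss"])

# The two resident disk packs from the text, with constructed figures. Both
# have the same probability of penetration; only the exposure value differs.
ASSETS = [
    Asset("census pack", probability=0.10, exposure_value=2_000.0, tolerable=True),
    Asset("product development pack", probability=0.10, exposure_value=500_000.0, tolerable=False),
]
CONTROLS = [
    Control("encrypted files", cost=8_000.0, exposure_factor=0.05),
    Control("random dialogues and password levels", cost=3_000.0, probability_factor=0.4),
    Control("hardwired disk controller", cost=60_000.0, probability_factor=0.2),
]

if __name__ == "__main__":
    for row in prioritize(ASSETS, CONTROLS):
        print(f"{row['asset']}: expected loss ${row['expected_loss']:,.0f}, "
              f"tolerable={row['tolerable']}, worthwhile controls={row['chosen']}")
```

Controls are scored one at a time against the untreated asset; when several are adopted together the residual must be recomputed with all their factors applied, since the savings do not simply add. With the constructed figures the hardwired controller is rejected for the product development pack not because it is ineffective but because its cost exceeds the expected loss it removes, which is the "overkill" the text warns against.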

Through Exhibit 2 we attempt to give the organization and independent auditor some points to consider and questions to answer to develop proper exposure values or probabilities of penetration. There is no [words illegible in the scan] of achieving the values since they are [words illegible in the scan]. As the [words illegible in the scan] through its [word illegible] accessibility, the risk of exposure is increased. It is then up to installation management or independent auditors to consider whether resources should be allocated to that asset.

EXHIBIT 2
Risk Analysis Questionnaire

Telecommunications

• Identify systems that are dependent on telecommunications
• What are the log-on procedures?
  — Do they remain constant or change?
• What type of data is transmitted?
  — What is the sensitivity of the data?
• What is the frequency of data transmission?
• What is the volume of data transmission?
• What has been the experience with retransmission or lost messages?
• Are telecommunication systems data entry systems only or retrieval and processing systems as well?
• Is the system restricted to certain terminals or can the system be dialed up from any compatible terminal?
• What type of communication system?
• Are long time lags experienced between responses?
• Are the users of the system heterogeneous or homogeneous organizationally?
• What security procedures are currently employed?

Computer Operations

• Identify on-line systems
• What are the log-on procedures?
  — Do they remain constant or change?
• Are all programs/data protected in some manner?
  — Password protection?
  — Encryption?
  — Read/Write restrictions?
  — Do they remain constant or change?
• Does the operating system control the checking procedures for the protection methods?
• Has, to your knowledge, the operating system, either intentionally or accidentally, been overridden?
• Have requests been made to your system which were answered by data irrelevant to the question, but considered sensitive data?
• Is there an up-to-date accounting program employed by your system?
  — Is it controlled by the operating system?
• Are there procedures employed to cancel programs that exceed their authority?
• Are all vendor supplied security features employed?
  — If not, why not?
• Are there periodic checks that current production programs conform to the authorized version?
• Can a program be run if it is not cataloged?
• Organizationally speaking, is the computer used by a heterogeneous or homogeneous set of people?
• What are the security features currently employed?

This approach can serve as a guideline for the design and the continuous auditing of the system. The approach aims to identify where controls should be placed to assure reasonable processing of data in a cost effective manner.

Conclusion

With the development of SAS No. 3, the independent auditing firm that audits clients with significant accounting computer-based applications systems has more responsibility for assessing computer-based controls. The responsibility must be met with technical expertise and an understanding of the environment of application systems for computers and telecommunications. The scope of controls necessitated by this environment must be broadened and the auditing firm must be knowledgeable enough to audit the total system to address these elements of the environment.

Indenture's History

The modern finance term "indenture," referring to the legal agreement between the corporation issuing the bonds and the trustee representing the bondholders covering terms of the bond issue and the restrictions placed on the company, had its origin in colonial America. Individuals wishing to come to America would bind themselves to a master in America in return for their passage over. In this system of temporary servitude, upon the completion of a period of service, the individual would earn his freedom. [Sentence partly illegible in the scan:] the papers recording the contract, copies of which were cut or torn with an indented edge so that the [words illegible] to the master and the other to the servant would correspond. - Excerpt from "Years Ago in Accounting" by Lawrence C. Sundby, Ph.D., and Robert C. [surname illegible], CPA, The People of Arthur Andersen & Co., September 1976.


REPORT DOCUMENTATION PAGE

Report number: Technical Report 77-[illegible]
Title (and subtitle): The Vulnerability of Computer Auditing
Author(s): Bennet P. Lientz and Ira R. Weiss
Performing organization name and address: Graduate School of Management, University of California, Los Angeles 90024
Contract or grant number: N00014-75-C-0265
Program element, project, task area and work unit numbers: Information Systems Program, NR 049-345
Controlling office name and address: Office of Naval Research, Arlington, Va.
Report date: March 1977
Security class (of this report): Unclassified
Distribution statement (of this report): Distribution of this document is unlimited.
Key words: Computer auditing; Security measures; Software controls
Abstract: An analysis is made of potential security methods that can be employed until there exist more secure systems. Cost-effectiveness of security measures is examined along with recovery and preventive measures. Risk analysis questions are raised.

DD Form 1473 (edition of 1 Nov 65 is obsolete), S/N 0102-014-6601. Unclassified.